Safe Runner • Cool Python Apps

Static generator → Dockerfile / run

Quick filter

This tool never mounts your project or your .env by default, so the app in the container can’t read them.

Run as a non‑root UID with --cap-drop=ALL, --no-new-privileges, optional --read-only FS, and tmpfs for scratch.

Prefer the Dockerfile option for extra safety: install at build time; then run with --network none if the app is offline‑capable.

Always pin versions (e.g. coolpkg==1.2.3) to reduce supply‑chain surprises.

–

Mode

Engine

Interaction

Package spec (e.g. httpie==3.2.2 or yt-dlp[websockets])

Paste a pip install ... command (auto‑parses)

Entrypoint / CLI to run

CLI args (optional)

System packages (apt) – space separated (optional)

Mount output dir (optional)

Memory limit (MB)

CPU limit (cores)

Read‑only filesystem no‑new‑privileges drop all capabilities tmpfs /tmp & /var/tmp block network at runtime run as non‑root UID limit PIDs (256)

No host mounts, no .env exposure by default.
Numeric non‑root user (no root privileges inside the container).
--cap-drop=ALL, --no-new-privileges, optional --read-only filesystem.
tmpfs scratch space (/tmp, /var/tmp) prevents writes to the image layer.
Optional --network none after building a Dockerfile image if your app is offline‑capable.
Resource limits (--memory, --cpus, --pids-limit) to reduce blast radius.